The conversations surrounding risk management are now evolving and becoming more resilience-centric. Risk teams, senior management, and the board are not just pondering over questions such as – How can we prevent the loss? What can we do to minimize the damage? – but also – How do we increase investor value? How do we create equilibrium among economic, social, and environmental aspects of our business? How do we maximize customer retention? How can we be better prepared in the future? What can we do to turn risk into a strategic advantage? How can we thrive on risk?
Let’s explore what the GRC landscape looks like for BFS organizations around the globe and what the future holds.
The radical shifts in BFS operations, such as remote and hybrid working models, amplified digitization efforts, the pivot towards cloud computing, and growing dependency on third-party service providers, are likely to stay even after the pandemic is over and its impact recedes. This, along with the heightened regulatory scrutiny and evolving risk profile, has renewed the much-needed focus on GRC. According to Gunjan Sinha, Executive Chairman at MetricStream, the pandemic has triggered the third wave of GRC—the first wave was driven by the financial crisis of 2008 and the second was spurred by technological breakthroughs somewhere around 2015.
Here is a look at some of the key GRC challenges that the BFS industry faces today.
To contend with the pandemic-led disruption, BFS enterprises had to accelerate the pace of digital transformation—condensing the digitalization timelines from years to a matter of weeks. Furthermore, as work moved home, beyond the reach of the office firewall and enterprise security mechanisms, the entire workforce became more susceptible to cyberattacks. In this new, digital-first operational environment with hyper-connected businesses, the cyberattack surface of organizations is continuously expanding and is not limited to their own infrastructure.
Furthermore, the digital interconnectedness of BFS organizations with third-party vendors has amplified considerably in the post-COVID world. To then view cyber risks without factoring in third-party cyber risks would not present a complete picture. The recent spurt in the number of security breaches has underscored the growing third-party cyber risks—how a security incident at one organization can quickly travel and paralyze several other connected businesses. Organizations are also often left with an extremely short window of time to react to any such emerging or existing risk event.
In addition, BFS companies are increasingly facing cloud concentration risk due to over-dependence on one service provider for critical services. In the past couple of years, the pivot towards cloud adoption has increased as it offers several benefits such as scalability, cost savings, speed and agility, and more. However, the cloud market today is being dominated by a handful of major players, making organizations vulnerable to cloud concentration risk—a single point of failure at one service provider could quickly morph into systemic risk.
The sudden onset of the pandemic and the subsequent lockdowns have impacted organizations in more ways than one. In 2019, Boston Consulting Group estimated that financial service firms are 300 times more likely to experience a cyberattack than other firms. The analysis was done before the pandemic disrupted operations across industries.
In a report published in January 2020, the Federal Reserve Bank of New York assessed the spillover impact of cyberattacks due to the interconnectivity of banks. According to the report, a cyberattack on any of the five most active U.S. banks will result in significant spillovers to other banks, with 38 percent of the network affected on average.
In the EU, a joint committee report on “Risks and vulnerabilities in the EU financial system” by the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA) noted that financial institutions in the common currency area had to rapidly adapt their technical infrastructure in response to the pandemic.
According to a Ponemon Institute study, 70% of UK financial sector firms suffered cyber attacks in 2020. 57% of the survey participants said that the switch to remote ways of working due to the pandemic made the employees more vulnerable to cyber attacks.
The digital financial ecosystem has been steadily flourishing in APAC in recent years. According to McKinsey, the number of active digital banking users in APAC increased to 88 percent in 2021, up from 65 percent four years before. To meet the preferences of these digital-savvy customers, banks and financial institutions also have been increasingly adopting a digital and mobile-first approach.
The pandemic has further propelled the pace of digital transformation at BFS organizations in the region, resulting in increased digital interconnectedness of people, processes, and organizations. This, along with the remote working environment, has made BFS organizations more vulnerable to cyber attacks. According to Check Point Research, there has been a staggering 168% increase year on year in the number of cyber attacks in APAC in May 2021 and an organization faces 1,245 weekly attacks.
With the growing reliance on vendors, such as business consultants and contractors, payment gateways, service providers, and others, for key operations and services, BFS organizations today have a highly complex extended ecosystem. The complexities are turned up a notch with fourth and subsequent parties.
While outsourcing tasks to vendors helps to dramatically cut down on costs and enhance competitiveness, it introduces several governance and risk management challenges, such as those stemming from non-compliance, unethical practices, financial risks including vendor bankruptcy or business disruption, exposure to Tier 2 vendors, legal issues, and access to confidential data. It becomes imperative, therefore, to proactively identify these risks and implement the appropriate controls to manage the supplier network effectively and keep the associated risks in check.
In July 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) proposed guidance on managing risks associated with third-party relationships. In the proposed guidance, the agencies have detailed a framework of sound risk management principles to assist banking organizations in managing vendor relationships and promote compliance with all applicable laws and regulations.
In the EU and UK, BFS organizations faced a twin blow – the pandemic and Brexit. The latter has resulted in a lot of uncertainty for this sector—from passporting being discontinued to restructuring business models – relocating employees, assets, and operations, to evaluating third-party arrangements with organizations based in other countries, to evolving regulatory landscape, and beyond.
In the EU, the EBA published revised Guidelines on Outsourcing Arrangements in 2019, which include specific provisions for financial institutions’ governance frameworks with regard to their outsourcing arrangements and the related supervisory expectations and processes.
Moreover, with the discontinuance of MiFID 2 passporting facility between the European Union and the UK, the unfettered access enjoyed by firms in the two jurisdictions also came to an end. According to official government figures dated September 2016, around 5,500 UK-registered financial services firms held at least one passport to do business in another EU member state, while over 8,000 EU-based firms were authorized to do business in the UK.
Following Brexit, UK BFS organizations are now compelled to explore local or foreign third parties and establish working relationships, arrangements, and models similar to what existed between the two global economic powers. Profiling and onboarding new third parties could be extremely time-consuming and is a major risk area for BFS organizations.
In March 2021, the UK Prudential Regulation Authority (PRA) published the Policy Statement and Supervisory Statement which set out its expectations of how PRA-regulated firms should ensure compliance with regulatory requirements relating to outsourcing and third-party risk management.
Regulators in the Asia Pacific have also taken note of the growing reliance of BFS organizations on third-party service providers and associated cyber risks. In January 2021, the Monetary Authority of Singapore (MAS) issued revised Technology Risk Management Guidelines, addressing technology and cyber risks amid the growing use of cloud technologies, integrations via APIs, and rapid technology adoption by financial institutions (FIs).
In 2019, the Australian Prudential Regulation Authority (APRA) published the Prudential Standard CPS 234 Information Security (CPS 234) in order to ensure that organizations have measures in place to be resilient against information security incidents, including cyberattacks. This requires APRA-regulated entities to assess the third-party’s security capabilities, among other things.
A white paper commissioned by the Hong Kong Monetary Authority (HKMA) and developed by KPMG noted the growing vulnerability of banks to third-party risks. Underscoring the benefits of third-party risk management-related technologies, it said, “These solutions typically collect data from a variety of sources, analyse key indicators to generate risk scores, and provide a portfolio management view of third-party relationships. These tools can improve accuracy and reduce the cost of TPRM activities.”
How Mastercard Built a Safer Payments Ecosystem with a Fourth-Party Risk Monitoring Program
Being one of the world’s largest payments technology providers, Mastercard has a highly complex operational ecosystem comprising several third- and fourth-party vendors. Previously, the company had no visibility into the risk controls in place for fourth parties brought by customers to its ecosystem. To overcome this challenge, the payments giant took the proactive step of building a new fourth-party risk management program from the ground up. It chose MetricStream Third-Party Risk Management, built on the MetricStream Platform and running on the AWS cloud.
With the implementation, Mastercard now has a unified, holistic view of all third- and fourth-party risks and can perform faster risk assessments with automatic segmentation of fourth parties into various risk categories. The efficiency of assessment processes has significantly improved with the automatic distribution of questionnaires and population of responses. The solution also provides actionable and timely fourth-party risk insights, thereby accelerating Mastercard’s risk response.
Financial regulatory authorities around the globe are constantly devising new regulations, regulatory updates, guidance, standards, and more to protect the interest of customers and related stakeholders as well as to strengthen the resilience of the financial sector. The escalating number of the resulting regulatory requirements, such as those related to Basel III’s risk-weighted capital requirements, anti-money laundering, General Data Protection Regulation (GDPR), capital requirements, customer protection, and more, has made regulatory compliance a highly demanding business function. To put things in perspective, financial institutions today have to handle an average of 257 regulatory alerts per day compared to just 10 regulatory alerts per day back in 2004, according to Thomson Reuters.
The fines for non-compliance with Anti-Money Laundering (AML), Know Your Customer (KYC), data privacy, and MiFID regulations totaled $10.6 billion for the financial sector in 2020, marking a 27% rise from the year before, according to Fenergo. Non-compliance not only results in monetary loss but could also lead to reputational damage and loss of stakeholder trust.
More recently, with the growing focus on Environmental, Social and Corporate Governance (ESG), the BFS sector is likely to face a fresh wave of regulations related to climate risk disclosures. Gunjan believes that ESG will drive the fourth wave of GRC, and it seems it is already starting to take shape. In June 2021, the U.S. House of Representatives passed legislation that would require publicly traded companies, including those operating in the financial sector, to disclose information about their exposure to climate-related risks.
In March 2022, the Securities and Exchange Commission proposed rule changes that would require companies to include certain climate-related disclosures in their registration statements and periodic reports. This includes information about climate-related risks that can have a material impact on their “business, results of operations, or financial condition, and certain climate-related financial statement metrics in a note to their audited financial statements.”
In the EU, the European Commission published its draft Digital Operational Resilience Act (DORA) in 2020 as part of its efforts to ensure that financial system participants have the necessary safeguards in place to mitigate cyber attacks and other risks.
The EC is also highly focused on ESG considerations. In April 2021, it adopted a comprehensive package of measures to help improve the flow of money towards sustainable activities across the European Union. This includes, among other things, a proposal to revise and strengthen the existing rules introduced by the Non-Financial Reporting Directive (NFRD). The objective is to bring sustainability reporting on par with financial reporting.
“It will extend the EU's sustainability reporting requirements to all large companies and all listed companies. This means that nearly 50,000 companies in the EU will now need to follow detailed EU sustainability reporting standards, an increase from the 11,000 companies that are subject to the existing requirements,” the EC said.
In Germany, legislative authorities are introducing a new law, touted to be more efficient than earlier versions in handling white-collar crime. The proposed corporate sanctions act—VerSanG—seeks to strengthen business integrity and will provide a legal basis for authorities to penalize corporate misconduct, while also strengthening incentives around compliance. In addition, to ensure that organizations have robust risk identification and mitigation capabilities, the Institut der Wirtschaftsprüfer in Deutschland or the Institute of Public Auditors in Germany (IDW) revised the IDW PS 340 n.F. on the audit of the early risk detection system. Starting 01 January 2021, the revised standard is mandatory for all listed companies.
On 29 March 2021, the BoE, along with the PRA and the Financial Conduct Authority (FCA), published their final policy on “Operational resilience: Impact tolerances for important business services”. The new rules relating to operational resilience will come into force on 31 March 2022.
The regulators have also been actively working in the area of ESG. In July 2021, they published a discussion paper that sets out policy options including, among others, the use of targets for representation, measures to make senior leaders directly accountable for diversity and inclusion in their firms, linking remuneration to diversity and inclusion metrics and the regulators’ approach to considering diversity and inclusion in non-financial misconduct. Furthermore, corporate disclosures based on recommendations from the Task Force on Climate-related Financial Disclosures (TCFD) will be mandatory for large UK-registered companies and financial institutions from April 6, 2022.
In addition, the UK government also intends to revise the UK GDPR following Brexit and has launched a consultation on these lines. It has also started working on the UK equivalent of the US Sarbanes-Oxley Act (SOX)—a federal law to protect investors by improving the accuracy and reliability of corporate disclosures.
In APAC, monetary authorities in Singapore, Australia, India, Thailand, and other countries are actively issuing guidelines, regulations, and frameworks to strengthen cyber resilience of financial institutions.
Operational resilience is also high on the radar for APAC financial regulators. In December 2021, the HKMA published a manual that sets out its supervisory approach to operational resilience and provides authorized institutions with guidance on the general principles to consider while developing their operational resilience framework.
In the wake of the recent spurt in SMS-phishing scams targeting bank customers, the MAS and the Association of Banks in Singapore (ABS) announced a set of additional measures to bolster the security of digital banking in January 2022. Previously in October, the monetary authority issued a second consultation document for revising the existing Guidelines on Business Continuity Management.
In Australia, APRA is expected to issue standards for operational resilience this year. In November 2021, it released its final prudential practice guide on climate change financial risks to assist banks, insurers, and superannuation trustees to manage the financial risks of climate change.
ESG is garnering a lot of regulatory interest in the APAC region. Financial authorities are increasingly issuing guidelines on environmental risk management for banks, conducting climate risk stress tests, and more.
Regulatory activity is only going to amplify going forward, making compliance management a highly demanding business function.
In addition to cyber and regulatory risks, the BFS sector today is navigating an extremely unsettled business landscape with geopolitical power shifts, growing instances of natural calamities, pandemic-driven global economic slowdown, and other such factors.
Managing operational risks is a daunting proposition as BFS companies face diverse types of risks with varying frequency and velocity. It then becomes imperative to understand the risks not only in isolation but also their interconnectedness to gauge their true potential impact. The challenges are exacerbated when organizations have a traditional approach to risk management with siloed and manual processes, obsolete tools and technologies, low frontline engagement, and a lack of risk-aware culture.
According to a Congressional Research Service report, the resurgence of infectious cases not just in the U.S. but around the globe has renewed calls for lockdowns and curfews and threatens to weaken or delay a potential sustained economic recovery into mid to late 2021. The country also suffers a number of natural catastrophes throughout the year, including floods, tropical cyclones, wildfires, etc., which disrupt business operations and result in colossal losses running into billions of dollars.
Not just these external factors, but internal factors too, such as breakdown of IT infrastructure, lack of appropriate controls, etc., can disrupt operations. According to Feedzai, there has been a 159% jump in banking fraud attacks in Q1 2021 compared to Q4 2020.
Brexit marked the end of an era and a fresh beginning for the UK and EU in more ways than one. The historic event was bound to have implications for the BFS industry. The UK-EU Trade and Cooperation Agreement (TCA), which came into force on May 01, 2021, largely left out the financial services sector. This essentially means that trade between the two sides is to be managed through mutual unilateral equivalence decisions.
In a survey conducted by EY, over a quarter of the UK financial services firms stated that Brexit is impacting or will negatively impact their business. 43% of the survey respondents said that they have moved or plan to move some UK operations and/or staff from the UK to Europe.
In addition to the turbulence caused by Brexit, the EU and UK BFS had to deal with the pandemic-led disruption. In May 2021, the European Central Bank (ECB) noted that market sentiment towards banks has substantially improved in the past couple of months but cautioned against financial stability risks due to the “uneven economic impact” of the pandemic.
In its Financial Stability Report, published in July 2021, the Bank of England (BoE) noted that major UK banks have been resilient to the challenges posed by the pandemic, adding that their capital and liquidity positions remain strong. According to HM Treasury data, the banking and finance industry has provided more than £75 billion in finance to 1.63 million UK businesses through government-backed coronavirus lending schemes.
Speaking of internal factors, breakdown of IT infrastructure, lack of appropriate controls, etc., can also greatly disrupt operations. According to UK Finance, a total of £753.9 million was stolen through banking fraud in the first half of 2021, marking a 30 percent increase on the same period in 2020.
In its October 2021 issue of Regional Economic Outlook for Asia and Pacific, the International Monetary Fund (IMF) said that it expects the region to grow slightly faster in 2022 as vaccination rates accelerate, but noted the growing divergence between Asian advanced economies and emerging market and developing economies.
“Risks are tilted to the downside, mainly because of uncertain pandemic dynamics, vaccine efficacy against virus variants, supply chain disruptions, and potential global financial spillovers from US monetary normalization in the presence of domestic financial vulnerabilities,” the report states.
Rapid technological advancements, particularly in the past decade, and the influx of fintech startups have shaken up the traditional BFS sector. These new-age, tech-driven companies have come and conquered the market by offering financial products and services at competitive prices. This has essentially compelled legacy organizations to rethink their business models and go-to-market strategies.
To protect and grow its market share, the BFS sector is now shifting towards more customer-centric products and services and even entering into digital partnerships or mergers and acquisitions (M&A) deals with fintechs or acquiring them to capitalize on their technological and agile capabilities.
According to S&P Global, with 19 M&A deals announced in July 2021, U.S. bank M&A activity has climbed back to pre-pandemic levels, bringing 2021's total deal announcements to 116, compared with 111 for all of 2020.
According to S&P Global Market Intelligence, the number of banking M&A in Europe in 2021 is likely to outstrip the total in 2020. In a report dated 21 September 2021, it said that the volume of transactions had already reached about 80% of the volume for the whole of 2020 – 39 deals have been either announced or closed, compared to 48 deals for all of 2020.
In the first half of 2021, the UK financial services industry announced 121 M&A deals – more than double the 57 deals announced during the same period in 2020, as per the EY M&A analysis. EY said that M&A activity is expected to improve further in the latter half of 2021 as the economic recovery accelerates.
According to PwC, financial services M&A deals (excluding the insurance sector) in APAC stood at 1630 in 2021, marking a 12% increase from the year before. Also, APAC financial services M&A deals accounted for around 32% of the global financial services M&A deals in 2021.
There is also a dearth of skilled risk professionals in the APAC BFS industry. In the 11th annual EY/IIF global bank risk management survey, 100% of Asia-Pacific respondents said that their talent pool was not prepared to meet the evolving needs of the risk management function over the next three years.
Chief risk officers will need to upskill and adopt new technologies to effectively manage risks around climate change, cybersecurity, and operational resilience.
The GRC practices and approaches of BFS companies have evolved considerably over the years. Going forward, we believe that the GRC function in this sector will continue to evolve and be driven by multiple simultaneous forces including technological advancements, ESG, stricter regulatory scrutiny, cyber threats, complex extended ecosystem, and hybrid working models.
For any organization, the ultimate goal of implementing a GRC program is to be future-ready and resilient when faced with any disruption or risk event. So, what does it mean to be truly resilient? Resilience management goes beyond the traditional approach to risk management to involve risk foresight, planning, and mitigation measures to ensure that the organization has:
It is only then that the organization can truly thrive and create business value. Here are a few key considerations for BFS companies to maintain and sustain their resilience:
An integrated approach to GRC facilitated through a standardized GRC taxonomy and coordination and harmonization between various functions—risk, compliance, audit, IT, third-party, business continuity, legal, and finance—is a business imperative today. This approach will cut across organizational silos, eliminate redundancies and duplication of efforts, enhance visibility into top risks and efficacy of controls, and ensure alignment between corporate centers and local business units, thereby enhancing overall efficiency.
A strong risk culture is critical for ensuring resilience—whether financial, operational, vendor or cyber resilience. Setting the tone at the top for a risk-aware culture and reinforcing it by maintaining transparency, establishing standards for ethical business practices, encouraging effective communication channels, and setting expectations and accountabilities for employees can help achieve this goal.
Banks and financial institutions must also undertake measures to strengthen their financial resilience to ensure financial viability and sustainability. BFS organizations around the world are required to adhere to the regulatory requirements pertaining to Capital Adequacy Ratio (CAR) and impact tolerances. The benefits, however, are far more than just compliance. While CAR helps to ensure that banks have the ability to absorb a certain amount of losses, setting impact tolerances provides a better understanding of their critical business functions and helps to identify areas that need improvement.
To thrive in this dynamic business environment, relying on manual processes and out-of-date technology for GRC is highly ineffective. By automating workflows and risk management systems, advanced technologies, such as artificial intelligence, machine learning, etc., can considerably improve the risk foresight of GRC professionals and provide them with timely and actionable risk insights for making risk-aware, data-driven business decisions. Leveraging these next-generation technologies is a must today for BFS organizations to also maintain their competitive edge against emerging fintech companies and startups.
A key challenge faced by chief risk officers is effectively communicating the risks to the senior management and board. Quantifying risks in monetary terms can better equip them to explain the risks in a comprehensible manner as well as help in the prioritization of risks and controls and determining how much to spend on each control. It also helps with conducting scenario planning and stress testing drills that empower risk teams to not only identify early warning signs but also to tackle risk events swiftly, confidently, and efficiently.
Frontline employees are the lifeline of any organization. They are the closest to the customers and manage risks and compliance issues associated with daily operational activities. As such, they are more likely to spot risks and vulnerabilities. Engaging frontline employees in GRC activities and encouraging them to proactively report any anomalies or issues, such as those related to non-compliance, suspicious transactions, etc., can go a long way to help BFS organizations to safeguard their operations.
Just implementing a robust GRC program is not going to engender the desired results. It requires continuous monitoring to proactively identify any gaps or loopholes that might exist and ensure that the program is relevant and running efficiently and the controls are effective.
Interest in and focus on ESG aspects have heightened in recent years. From sustainable and ethical practices to diversity and inclusion in the workforce to a safe workplace, to pay equality, and more, organizations today are being increasingly held accountable for their ESG programs and metrics. In this age of social media and speak-up culture, organizations must think beyond profits and work towards becoming purpose-driven – be the real architects of a sustainable future.
MetricStream offers the most comprehensive solutions based on a single platform that includes Operational Risk, Compliance, Audits, IT and Cybersecurity, Business Continuity, and Third-Party Risk Management. We are the world’s largest independent GRC software provider with extensive experience working with banking and financial institutions around the globe.
The MetricStream Operational Resilience solution brings all aspects of an operational resilience framework into a single unified platform. The solution helps BFS companies achieve operational resilience by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for potential disruptions. A single, integrated, interconnected data model unites data, removes friction between functional silos, and serves as a single source of truth for real-time, risk-aware decision making. The solution helps organizations to improve risk and control framework related operational efficiency by 80%.
MetricStream ConnectedGRC empowers organizations to pursue an integrated approach to GRC and ensure collaboration between risk, compliance, audit, cybersecurity, and sustainability teams. This highly collaborative approach enables businesses to better identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and ESG risks. Designed with advanced analytics and AI capabilities at its core, our products and solutions deliver GRC best practices to meet the evolving needs of today’s dynamic enterprises.